PCAOB Alert on Company-Produced Evidence
The PCAOB has published fresh advice for audit firms about how to evaluate data and reports provided by their client companies. Internal audit teams might want to take note, since such PCAOB “advice” has a habit of soon becoming new demands placed upon you by your auditor.
The report, blandly titled “Inspection Observations Related to Auditor Use of Data and Reports,” was released last week. It warned that the Public Company Accounting Oversight Board has seen “significant and consistent rates of deficiencies” in how auditors evaluate evidence from third parties and in how they test information produced by their clients, and offered numerous suggestions on how audit firms can do better on both fronts.
Those suggestions could have significant implications for the control testing that audit firms perform during the annual financial audit. Therefore internal auditors should pay attention to the report’s recommendations, so that you can anticipate your external auditors’ needs and keep your audit fees as minimally outrageous as possible.
The material in the report can be divided into three categories:
- Common audit deficiencies the PCAOB noticed in audit firm inspections;
- Good practices the PCAOB wants audit firms to embrace; and
- Other reminders that can help audit firms understand how to properly test information produced by the company (IPC) and information from external sources.
So let’s take a look at some of the details.
‘Understand the Source of the Data’
If the PCAOB bulletin could be boiled down into any single idea, the above headline would be it. Audit firms must be able to understand the sources of data (both internal and external) about the client company, so that the audit firm can better decide the procedures it will need to use to test the completeness and accuracy of the data and to evaluate its relevance as evidence.
In other words, the more clearly the auditor understands where your data came from, the more quickly it will be able to decide how to test and evaluate that data. Which saves you money.
That’s why it’s so important to move your internal reporting processes away from spreadsheets, toward more robust systems such as Workiva, AuditBoard, Hyperproof, SAP, or some other audit management software system. Those systems provide more transparency and clarity into your company’s data, which is exactly what the PCAOB is urging audit firms to identify.
The PCAOB report also talked about “service auditors’ reports” — that is, the SOC 1 or SOC 2 reports that service providers generate, to ease the minds of publicly traded companies using those providers for help with financial reporting or data management. (SOC 1 reports provide assurance over a provider’s financial reporting controls; SOC 2 does the same for data security controls.)
If the service auditor’s report doesn’t provide audit evidence regarding the accuracy and completeness of information, the PCAOB report says, the auditor should itself perform whatever procedures are needed to establish those facts. So that’s another item for the internal audit team’s radar screen: scope your SOC reports so that they address those completeness and accuracy issues directly; otherwise the audit firm will reperform that work itself and then send you the bill.
The report had advice about the use of specialists, too. If the audit firm is relying on data from a specialist within the client company (say, growth projections that someone in your market research department cooked up), the auditor must test the completeness and accuracy of the data that specialist used and evaluate the reliability of any external data your specialist might have used to produce his or her numbers.
So, again, on the internal side: Are there ways you and your specialists can anticipate those concerns? For example, could you improve the procedures your specialist uses when gathering external data, so auditors will be able to assess the relevance more easily? Could you document your controls more clearly, so that completeness and accuracy are more plainly visible?
Specific Examples of Shortcomings
The rest of the report listed numerous examples of deficiencies that PCAOB inspectors had found during their audit firm inspections. Among them:
- The company used a service vendor to process revenue transactions. The audit firm did test controls for the completeness and accuracy of data provided by that vendor, but did not test the effectiveness of complementary user controls that the vendor had told the client company to implement.
- Instances where audit firms didn’t perform any procedures to evaluate the relevance and reliability of information provided by external parties, such as risk-free rates and equity-risk premiums, that were used in assessing long-lived assets for impairment.
- Audit firms failed to test the accuracy and completeness of the non-financial data prepared by the company and non-financial information used by the company’s specialists in developing an estimate, such as reserves in the oil and gas industry.
The report offers plenty more examples beyond that, in a two-column format that explains the relevant auditing standard and then offers examples of how audit firms failed to live up to that standard. For anyone working on the design of internal controls, it’s an excellent glimpse into how audit firms at least should be approaching the audit, even if many firms fall short.
That does bring us to one final question. Does any of this stuff really matter? Like, will audit firms respond to this PCAOB alert by paying more attention to how they test your internal controls? Or will the firms continue to pay little heed to these warnings, and therefore you can too?
You on the front lines would know better than me, but let’s remember that PCAOB leadership is on the warpath about poor audit work lately. They want to see fewer deficiencies at audit firms, and companies’ increased reliance on data, system-generated reports, and the like means that this is a prime area for attention.
Best that you pay attention to such issues first, rather than have your audit firm jump on them and drive you crazy later.